Security Intelligence Report Volume 6

The sixth edition of the Security Intelligence Report (SIR), Microsoft’s semi-annual report on the state of computer security, was published on April 8, 2009. Using data derived from hundreds of millions of computers worldwide and some of the busiest online services on the Internet, this report provides an in-depth perspective on trends in:

Software vulnerabilities (both in Microsoft software and in third-party software)

Software exploits

Security and privacy breaches

Malicious and potentially unwanted software

E-mail, spam, and phishing

When I say 'in-depth', I mean it. At 184 pages in length, the report is extremely comprehensive and data driven. If you are a data junkie like me, the whole report is fascinating. I love reading about the industry vulnerability trends, seeing the history of where we have come from and the progress we have made, as well as where things are going and thinking about how we stay ahead in security. But if you are an IT Admin, the SIR can be far more than just fascinating. The SIR can help you understand the threat landscape and assess risk in your environment. For example:

Malicious software infection rates differ significantly for different versions of the Microsoft Windows operating system. Windows Vista was less infected at any service pack level than Windows XP. Comparing the latest service packs for each version, the infection rate of Windows Vista SP1 is 60.6 percent less than that of Windows XP SP3.

This is hard data that helps you decide which Microsoft operating system is the most secure one to deploy in your environment. And the SIR doesn’t just include a wealth of data points; it also includes clear guidance on mitigations and countermeasures for most of the threat and exploit trends it investigates.

There are a number of key findings in the SIR relevant to Trustworthy Browsing as well. Rogue security software, phishing, and malicious website threats are rapidly increasing. These threats make it even more important for browsers to help users avoid the dangers of social engineering attacks and make safe browsing choices. Internet Explorer 8 does this with our SmartScreen Filter, which identifies and blocks sites on the web that are distributing malicious software.

I could easily take the SIR data and use it to support the great security features in IE8… But you can already learn more about IE8 security here in IEblog, and in my recent TechNet interview. Instead I’m asking our IT Admin readers to take the time to download and read the SIR, if you haven’t already. It can help you assess today’s security risks and understand the latest threats to your environment so you can take timely defensive steps to ensure your users and company assets are safe.

I don’t know if your team is responsible for this, but the Internet Explorer Application Compatibility VPC Images all expired yesterday. I depend on these for testing web apps in older versions of IE, and I’m in the middle of testing a release with a tight deadline. Will the updated release be posted today, or should I start finding alternative ways to test? Help!

@Merman: You need to read the report to understand the methodology. Keep in mind that it’s likely that most Win2k machines are being used in isolated environments and not being used to browse the web at large.

@Merman, that chart comes from page 75 of the SIRv6 and reflects the number of computers cleaned for every 1000 MSRT executions, by operating system, in 2H08. There are fewer infected W2K machines, but as @EricLaw points out, that may be a matter of fewer W2K machines being used to browse the web.

@Kymberlee: probably – it could also mean that those W2k machines, managed by some competent sysadmins, disable services such as MS File Sharing, don’t include Terminal Server clients, and (being limited by MS to IE 6 SP1) use a different browser…

Because, in case you haven’t noticed, the chart states that 1 in 3 Windows XP RTM machines have been infected: more to the point, each bar doesn’t represent an OS versus the other, but an OS versus itself. 3.8 % of all running Windows 2000 sp4 machines got infected.

Mitch, you’re not reading the charts correctly. First off, the chart shows infections per *thousand* scanned, not hundred.

Secondly, your interpretation entirely ignores context; a better way of reading the chart is that *XP users who haven’t installed any of the service packs released in the last 8 years* have a 3.36% chance of being infected by malware detected by the MSRT. Obviously, anyone who doesn’t install patches is going to be at greater risk than anyone who’s on the latest service pack.

– while XP provides only ‘admin’ and ‘user’ account profiles out of the box, 2k provides ‘admin’, ‘user’ and ‘power user’: the latter actually helps as it is more efficient than a user account without actually granting full admin rights. A 2k basic user also disables any and all shell script execution (also in IE).

– 2k doesn’t hide the ‘administrator’ account, so it can be password-locked and/or disabled easily.

– 2k runs fewer services by default than XP: less attack surface.

– 2k doesn’t come with a firewall, so a 3rd-party one is most often found installed on it. XP SP2’s firewall brings a false sense of security: it’s a firewall. It’s hard as soup.

– 2k comes with IE 6sp1 (the one without popup blocker), so, except inside Intranets, it more often than not runs another browser. Said browser has its own script engine, so it can browse the Web even inside a limited user account.

Installing a 2k machine with a modern browser and firewall, working with a limited user account and a secured admin account, disabling network file shares and removing rights to system files will take a few clicks; doing the same under XP is either long and hard (Pro) or impossible (Home).

I’d like to see a more complete chart (with legends) that separates XP Pro and Home.

I don’t think any conclusions can be drawn from that. Vista is less of a target because nobody uses it. That is also why the infection rate for 64-bit Windows Vista is less than 32-bit, when they are essentially the same product in terms of security. Also, people using Vista are going to be more concerned about security than those using XP, which means they will keep their systems up to date.

Wayne: Nice try, but no. 64-bit Vista is fully compatible with 32-bit Vista, so your explanation that it’s somehow less of a target makes no sense; bad guys will infect either. The difference between .3% and .37% is statistically irrelevant.

Your point that Vista users are more likely to be up-to-date may be true, but I fail to see how that means no "conclusions can be drawn" from that.

Mitch, you must not have looked very hard, since 1> the scale is in the original report, and 2> the author made a comment responding to a comment on this exact topic.

Poweruser was deliberately removed from Win2k as you can trivially elevate to admin from power-user.

I have no idea what you mean by "A 2k basic user also disables any and all shell script execution" – if you’re suggesting that JScript doesn’t run in IE for limited users, you’re entirely incorrect.

Bashing XP’s firewall is entirely baseless; it’s an effective ingress firewall and is one of the #1 improvements made in XP. The caveat is that it was only enabled by default on XPSP2; someone who hasn’t patched their system in 8 years probably never turned it on. Similarly, while XP may have more services running, those services are significantly harder targets due to the SDL and the fact that there’s a firewall.

The real point, which you seem to have missed, is that a corporation which is managing their environment is entirely likely to have fully patched Win2kSP4 boxes, including perimeter UTM devices and IDS. On the other hand, a fully unpatched XP user is most likely a home user who disabled software updates and has no IT staff to secure either their network or their PC.

@Mitch 74 We are looking at malware infection rates here – a high or low infection rate does not necessarily mean that one OS is more or less secure; a lot of infections these days are a result of user behavior patterns and social engineering attacks. We believe that many of the W2K systems here are used in business environments and are less likely to be used for “risky” activities such as downloading music or videos from the Internet.

You may also be interested in the section of the SIR starting on page 89 that discusses the threat landscape at home vs the enterprise.

@Wayne I have to disagree with your assertion that the low rate of infection for Vista is just because attackers don’t care about the platform due to low market penetration. The security features within Vista definitely have an impact in reducing malware infection rates – given the large number of Vista systems in use worldwide in home environments, we assume they are exposed to a similar mix of threats and attacks as the XP systems, and they perform significantly better.

@Dan: first, I shouldn’t have to look OUTSIDE a graph to get its legends.

Second, I DID try to run JScript in w2k in Limited User accounts, to get a "you don’t have rights to run these" warning. At the very least, ActiveX controls are thoroughly disabled in Limited accounts, which disables AJAX (no more XMLHttpRequest), CSS filters (no more PNG alpha transparency), Flash, Java… that makes IE 6 unusable anyway.

Third, an inbound firewall is always much better than no firewall at all (big jump between XP SP1 and XP SP2). But a firewall that allows the user or admin to visualize what goes through a NIC is better – in both directions, I mean.

@Kymberlee: if we look at infection rates discrepancies between home and office use, having a split between ‘home’ and ‘pro’ versions would actually help: not many businesses run XP Home, and not many homes run XP Pro. Many businesses have strong policies and content filters, not so at home. This is, as you point out, part of the original article, but this distinction isn’t part of this post.

I don’t disagree with the BASE article; I don’t like how this blog post is made: it shows data without direct support (no legend: confusing) and tries to make a point through a presentation that is incomplete as presented: the post’s purpose is to sum up and draw a conclusion upon a lengthy report, but it misses the point somewhat due to ‘technical’ errors.

Since there is a discrepancy between home and office use (as shown in the report), why not present the split inside the post? Would it be, by any chance, that while Vista/7 brought huge security improvements to the ‘home’ market, it was much less so with the ‘pro’ market, because correctly managed 2k/XP were already very solid? And that the post’s message: "if you run XP, you’ll win big security by migrating to Vista/7" would actually change to "if you run XP Home, you’ll win 3%; if you run XP Pro correctly, you’ll win .08 % with Vista/7".

Mitch, while I agree that you shouldn’t have to look outside a chart to get its scale, the fact remains that you were RESPONDING TO A COMMENT that contained the information. So complaining here is only making you look foolish.

Your claims about Win2k limited user accounts are entirely incorrect. Perhaps you’re confusing this with the Enhanced Security Configuration applied by default to ALL types of user accounts on Win2k3. Or perhaps you were in an organization that used GPO. But IE itself has/had no such limits.

Since you are clearly **interested** in this topic, why not actually READ the report instead of complaining about this necessarily concise summary?